I’m going to put this last as a roundup of what has changed with the SolarWinds hack since we last talked.
SolarWinds has updated their advisory for the SUPERNOVA malware to include additional information on how it was leveraged.
Microsoft has revealed that its systems were infiltrated further, and that hackers were able to “view source code in a number of source code repositories.” The company has also indicated that they believe the end goal of the compromise was to pivot to customers’ cloud assets.
The US Cybersecurity and Infrastructure Agency has asked all US government agencies to update their installations by the end of 2020 – and if they could not, to take those systems offline.
The New York Times is reporting that US investigators are examining whether the incursion originated in Eastern Europe, which is where some of SolarWinds’ software was engineered.
I’m including a link to a description of the “Golden SAML” technique used in this attack, which “is an attack vector that can serve sophisticated attackers in their post-exploitation stages allowing them to maintain persistency and gain access to different services in a convenient and stealthy manner.” This incident marks the first time most researchers have seen this in the wild.
Additionally, I’m including a link to a piece on a five-stage “hack” scale, useful for differentiating these issues:
- Stage 0: The attackers have found or made an entry point to systems or the network but haven’t used it or have taken no action.
- Stage I: Attackers have control of a system but haven’t moved beyond the system to the broader network.
- Stage II: Attackers have moved to the broader network and are in “read-only” mode, meaning they can read and steal data but not alter it.
- Stage III: Attackers have moved to the broader network and have “write” access to the network, meaning they can alter data as well as read and steal it.
- Stage IV: Attackers have administrative control of the broader network, meaning they can create accounts and new means of entry to the network as well as alter, read and steal data.